Pascal PAILLIER

Application No. : Unassigned 
For: PUBLIC AND PRIVATE KEY
CRYPTOGRAPHIC METHOD 



Group Art Unit: Unassigned 
Examiner: Unassigned 



PRELIMINARY AMENDMENT 

Assistant Commissioner for Patents 
Washington, D.C. 20231 

Sir: 

Prior to examination and the calculation of filing fees, kindly amend the above- 
identified application as follows: 



IN THE SPECIFICATION: 

Page 1, immediately following the title appearing on line 1, insert the following: 
-This disclosure is based upon, and claims priority from French Application No. 
99/00341, filed on January 14, 1999 and International Application No. PCT/FR99/02918, 
filed November 25, 1999, which was published on July 20, 2000 in a language other than 
English, the contents of which are incorporated herein by reference. 
Background of the Invention — 
Page 6, delete lines 13 and 14.

Page 6, before line 15, insert the following heading: 
— Brief Description of the Drawings — . 

Page 7, before line 4, insert the following heading: 
— Detailed Description — . 

Add the following Abstract: 

—The invention concerns a cryptographic method for generating public keys and
private keys. Two distinct first numbers p and q, of neighbouring value are selected, and
the number n equal to the product of p.q is calculated. The lowest common multiple of the
numbers (p-1) and (q-1) $\lambda(n) = \mathrm{PPCM}(p-1, q-1)$ is then calculated. A number g, $0 < g < n^2$,
is then determined which verifies the two following conditions: a) g is invertible modulo
$n^2$; and b) $\mathrm{ord}(g, n^2) = 0 \bmod n$. The public key is formed by the parameters n and g and
its private key is formed by the parameters p, q and $\lambda(n)$ or by the parameters p and q. An
encryption method for a number m representing a message, 0<m<n, involves calculating
the cryptogram $c = g^m \bmod n^2$.—

IN THE CLAIMS:

Kindly replace claims 1-20, as follows. 

1. (Amended) A cryptographic method for generating public and private keys
in a device that is able to exchange messages on at least one communication channel, the 
private key being stored secretly in said device and the public key being broadcast publicly, 
the generation method comprising the following steps: 

- selecting two prime numbers p and q which are distinct and of similar sizes; 

- calculating the number n equal to the product of p and q; 

- calculating the lowest common multiple of the numbers (p-1) and (q-1):
$\lambda(n) = \mathrm{LCM}(p-1, q-1)$

- determining a number g, $0 < g < n^2$, which satisfies the following two conditions
during the calculation of a cryptogram c, where $c = g^m \bmod n^2$:

a) g is invertible modulo $n^2$, and

b) $\mathrm{ord}(g, n^2) = 0 \bmod n$, and

- selecting g = 2 if g satisfies said conditions a) and b);

wherein the public key of said device is formed by the parameters n and g and its 
private key is formed by at least the parameters p and q. 

2. (Amended) A cryptographic communication system with public and private
keys generated according to Claim 1, comprising a communication channel and first and
second communicating devices, each device comprising at least one communication
interface, data processing means and storage means, wherein an encryption method is
implemented in said first device to send a number m representing a message, 0<m<n, to
said second device, said encryption method comprising the following steps:

- using the parameters of the public key of the second device to assign the values of
the public key to the parameters n and g,

- calculating the cryptogram $c = g^m \bmod n^2$, and

- transmitting said cryptogram over the communication channel to the second
device.

3. (Amended) A system according to Claim 2, wherein said first device 
implementing the encryption method also comprises a generator for a random integer 
number r, and wherein said first device: 

- performs the drawing of a random integer number r, and 

- calculates the cryptogram c by performing the encryption calculation:
$c = g^{m+nr} \bmod (n^2)$.

4. (Amended) A system according to Claim 2, wherein said first device 
implementing the encryption method also comprises a generator for a random integer 
number r, and wherein said first device: 

- performs the drawing of a random integer number r, and 

- calculates the cryptogram c by performing the encryption calculation:
$c = g^m r^n \bmod (n^2)$.

5. (Amended) A system according to Claim 4, wherein said second device
implements a decryption method, in order to decrypt said cryptogram c, which comprises
performing the calculation

$m = \log_n(c^{\lambda(n)} \bmod n^2) \cdot \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$

where $\log_n(x) = \frac{x-1}{n}$,

x being any integer.

6. (Amended) A system according to Claim 5, wherein said second device 
implementing said decryption method precalculates the quantity: 

$\alpha_{n,g} = \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$

and stores it secretly in a protected area of a program memory. 

7. (Amended) A system according to Claim 5, wherein said second device 
performs the following calculation steps during said decryption method, using the Chinese 
Remainder Theorem CRT: 

$m_p = \log_p(c^{p-1} \bmod p^2) \cdot \log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$.
$m_q = \log_q(c^{q-1} \bmod q^2) \cdot \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$.
$m = \mathrm{CRT}(m_p, m_q, p, q)$, where $\log_p$ and $\log_q$ are such that
x being any integer.

8. (Amended) A system according to Claim 7, wherein said second device 
implementing said decryption method precalculates the following quantities 

$\alpha_{p,g} = \log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$ and
$\alpha_{q,g} = \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$

and stores them secretly in a protected area of a program memory. 

9. (Amended) A cryptographic communication system with public and private 
keys generated according to Claim 1 , comprising a communication channel and first and 
second communicating devices, each device comprising a communication interface, data 
processing means and storage means, wherein an encryption method is implemented in said 
first device for sending a number m representing a message, $0 < m < n^2$, to said second
device, said encryption method comprising the following steps: 

- using the parameters of the public key of the second device to assign the values of 
the public key to the parameters n and g, 

- performing the following calculations: 

1. $m_1 = m \bmod n$

2. $m_2 = (m - m_1)/n$

3. $c = g^{m_1} m_2^n \bmod n^2$, and

- transmitting the cryptogram c over the communication channel to the second
device.

10. (Amended) A system according to Claim 9, wherein the second device 
receives the cryptogram c and implements a decryption method, in order to decrypt said 
cryptogram, which comprises the performance of the following calculation steps: 

1. $m_1 = \log_n(c^{\lambda(n)} \bmod n^2) \cdot \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$

2. $w = c g^{-m_1} \bmod n$

3. $m_2 = w^{1/n \bmod \lambda(n)} \bmod n$

4. $m = m_1 + n m_2$.

11. (Amended) A system according to Claim 10, wherein the second device 
implementing said decryption method precalculates the following quantities: 

$\alpha_{n,g} = \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$, and
$\gamma_n = 1/n \bmod \lambda(n)$,

and stores them secretly in a protected area of a program memory. 

12. (Amended) A system according to Claim 10, wherein said second device 
performs the following calculation steps during said decryption method, using the Chinese 
Remainder Theorem: 

1. $m_{1,p} = \log_p(c^{p-1} \bmod p^2) \cdot \log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$

2. $w_p = c g^{-m_{1,p}} \bmod p$

3. $m_{2,p} = w_p^{1/q \bmod p-1} \bmod p$

4. $m_{1,q} = \log_q(c^{q-1} \bmod q^2) \cdot \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$

5. $w_q = c g^{-m_{1,q}} \bmod q$

6. $m_{2,q} = w_q^{1/p \bmod q-1} \bmod q$

7. $m_1 = \mathrm{CRT}(m_{1,p}, m_{2,p}, p, q)$

8. $m_2 = \mathrm{CRT}(m_{1,q}, m_{2,q}, p, q)$, and

9. $m = m_1 + pq m_2$ where $\log_p$ and $\log_q$ are such that

$\log_i(x) = \frac{x-1}{i}$,

and x is any integer.

13. (Amended) A system according to Claim 12, wherein said second device 
precalculates the following quantities: 
$\alpha_{p,g} = \log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$
$\alpha_{q,g} = \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$
$\gamma_p = 1/q \bmod p-1$
$\gamma_q = 1/p \bmod q-1$

and stores them secretly in a protected memory area of a program memory.

14. (Amended) A system according to claim 10, wherein the decryption method
is used for calculating the signature s of a message m and the encryption method is used for 
verifying said signature. 

15. (Amended) A cryptographic communication system with public and private 
keys generated according to Claim 1, comprising a communication channel and first and 
second communicating devices, each device comprising a communication interface, data 
processing means and storage means, wherein an encryption method is implemented in said 
first device to send a number m representing a message, 0<m<n, to said second device, 
said encryption method comprising the following steps: 

- using the parameters of the public key of the second device to assign the values of 
the public key to the parameters n and g, 

- calculating the cryptogram $c = g^m \bmod n^2$, and

- transmitting said cryptogram c over the communication channel to the second
device.

16. (Amended) A system according to Claim 15, wherein said first device that 
implements the encryption method also comprises a generator for a random integer number 
r, and wherein said device: 

- performs the drawing of a random integer number r, and 

- calculates the cryptogram c, performing the encryption calculation:
$c = g^{m+nr} \bmod (n^2)$.

17. (Amended) A system according to Claim 15 wherein the second device
implements a method of decryption of the received cryptogram c, comprising the 
performance of the following calculation: 

$m = \log_n(c^u \bmod n^2) \cdot \log_n(g^u \bmod n^2)^{-1} \bmod n$,

where u is an integer that divides (p-1) and (q-1). 



18. (Amended) A method according to Claim 17, wherein said second device 
implementing said decryption method precalculates the quantity: 
$\beta_{n,g} = \log_n(g^u \bmod n^2)^{-1} \bmod n$

and stores it secretly in a protected area of a program memory. 



19. (Amended) A system according to Claim 17, wherein said second device 
performs the following calculation steps during said decryption method, using the Chinese 
Remainder Theorem: 

1. $m_p = \log_p(c^u \bmod p^2) \cdot \log_p(g^u \bmod p^2)^{-1} \bmod p$

2. $m_q = \log_q(c^u \bmod q^2) \cdot \log_q(g^u \bmod q^2)^{-1} \bmod q$

3. $m = \mathrm{CRT}(m_p, m_q, p, q)$, where $\log_p$ and $\log_q$ are such that

$\log_i(x) = \frac{x-1}{i}$,

x being any integer.

20. (Amended) A system according to Claim 19, wherein said second device
implementing said decryption method precalculates the following quantities: 
$\beta_{p,g} = \log_n(g^u \bmod p^2)^{-1} \bmod p$
$\beta_{q,g} = \log_n(g^u \bmod q^2)^{-1} \bmod q$

and stores them secretly in a protected area of a program memory. 

REMARKS 

Entry of the foregoing amendment is respectfully requested. This amendment is 
intended to place the claims in a more conventional format and eliminate the multiple 
dependency of the claims. 



Respectfully submitted, 

Burns, Doane, Swecker & Mathis, L.L.P.




James A. LaBarre 
Registration No. 28,632 

P.O. Box 1404 

Alexandria, Virginia 22313-1404 
(703) 836-6620 



Date: July 16, 2001 
Attachment to Preliminary Amendment dated July 16, 2001
Marked-up Claims 1-20 

1. (Amended) A cryptographic method [comprising a method of] for 
generating public [(K)] and private [(K')] keys in a device that is able to exchange messages
on at least one communication channel, the private key [having to be] being stored secretly 
in [the] said device and the public key [having to be] being broadcast publicly, the 
generation method comprising the following steps: 

- selecting two prime numbers p and q which are distinct and of [adjacent] similar
sizes;

- calculating the number n equal to the product of p and q [p,q];

- calculating the lowest common multiple of the numbers (p-1) and (q-1):
$\lambda(n) = \mathrm{LCM}(p-1, q-1)$

- determining a number g, $0 < g < n^2$, which satisfies the following two conditions
during the calculation of a cryptogram c[:], where $c = g^m \bmod n^2$:

a) g is invertible modulo $n^2$, and

b) $\mathrm{ord}(g, n^2) = 0 \bmod n$, and

- selecting g = 2 if g satisfies said conditions a) and b);

wherein the public key of [the] said device [being] is formed by the parameters n 
and g and its private key [being] is formed by [the parameters p,q and X(n) or by the] at 
least the parameters p and q[, a generation method characterised in that it consists in taking 
g=2, if g satisfies the said conditions a) and b)]. 

2. (Amended) A cryptographic communication system with public and private 
keys generated according to Claim 1, comprising a communication channel [(20)] and first 
and second communicating devices [(A, B)], each device comprising at least one 
communication interface [(H)], data processing means [(10)] and storage means [(12, 13), 
characterised in that], wherein an encryption method is implemented in [a] said first device
[(A) in order] to send a number m representing a message, 0<m<n, to [a] said second
device [(B), the], said encryption method comprising the following steps:

- using the parameters of the public key [$(n_B, g_B)$] of the second device [(B) in order]
to assign the values of the public key [$(n_B, g_B)$] to the parameters n and g,

- calculating the cryptogram $c = g^m \bmod n^2$, and

- transmitting [the] said cryptogram [c then being transmitted] over the 
communication channel to the second device. 

3. (Amended) A system according to Claim 2, [characterised in that the] 
wherein said first device implementing the encryption method also comprises a generator 
[(15)] for a random integer number r, and [in that the said] wherein said first device: 

- performs the drawing of a random integer number r, and [then] 

- calculates the cryptogram c by performing the [following] encryption calculation: 
$c = g^{m+nr} \bmod (n^2)$.

4. (Amended) A system according to Claim 2, [characterised in that the] 
wherein said first device implementing the encryption method also comprises a generator 
[(15)] for a random integer number r, and [in that the said] wherein said first device: 

- performs the drawing of a random integer number r, and [then] 

- calculates the cryptogram c by performing the [following] encryption calculation: 
$c = g^m r^n \bmod (n^2)$.

5. (Amended) A system according to Claim 4, [characterised in that the] 
wherein said second device [(B)] implements a decryption method, in order to decrypt [the] 
said cryptogram c, [and] which comprises [the] performing [of] the calculation 

$m = \log_n(c^{\lambda(n)} \bmod n^2) \cdot \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$

where $\log_n(x) = \frac{x-1}{n}$,

x being any integer

6. (Amended) A system according to Claim 5, [characterised in that a device
(B)] wherein said second device implementing [the] said decryption method precalculates
the quantity:

$\alpha_{n,g} = \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$

and stores it secretly in [the] a protected area of [the] a program memory[, x being
any integer].

7. (Amended) A system according to Claim 5, [characterised in that, in one 
instance of the said decryption method, a] wherein said second device performs the 
following calculation steps during said decryption method, using the Chinese Remainder
Theorem CRT: 

$m_p = \log_p(c^{p-1} \bmod p^2) \cdot \log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$.

$m_q = \log_q(c^{q-1} \bmod q^2) \cdot \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$.

$m = \mathrm{CRT}(m_p, m_q, p, q)$, where $\log_p$ and $\log_q$ are such that

$\log_i(x) = \frac{x-1}{i}$,



x being any integer. 

8. (Amended) A system according to Claim 7, [characterised in that a] wherein 
said second device implementing [the] said decryption method precalculates the following 
quantities 

$\alpha_{p,g} = \log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$ and

$\alpha_{q,g} = \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$

and stores them secretly in [the] a protected area of [the] a program memory. 

9. (Amended) A cryptographic communication system with public and private 
keys generated according to Claim 1, comprising a communication channel [(20)] and first 
and second communicating devices [(A,B)], each device comprising a communication
interface [(H)], data processing means [(10)] and storage means [(12, 13), characterised in 
that], wherein an encryption method is implemented in [a] said first device [(A)] for 
sending a number m representing a message, 0<m< n 2 , to [a] said second device [(B), the] 
said encryption method comprising the following steps: 

- using the parameters of the public key [$K_B = (n_B, g_B)$] of the second device [(B) in
order] to assign the values of the public key [$(n_B, g_B)$] to the parameters n and g,

- [and] performing the following calculations: 

1. $m_1 = m \bmod n$

2. $m_2 = (m - m_1)/n$

3. $c = g^{m_1} m_2^n \bmod n^2$

[the said] transmitting the cryptogram c [being transmitted] over the communication 
channel to the second device. 

10. (Amended) A system according to Claim 9, [characterised in that] wherein 
the second device [(B)] receives the cryptogram c and implements a decryption method, in 



Application No. Unassigned 
Attorney's Docket No. 032326-150 

order to decrypt [the] said cryptogram, which comprises the performance of the following 
calculation steps: 

1. $m_1 = \log_n(c^{\lambda(n)} \bmod n^2) \cdot \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$

2. $w = c g^{-m_1} \bmod n$

3. $m_2 = w^{1/n \bmod \lambda(n)} \bmod n$

4. $m = m_1 + n m_2$.

11. (Amended) A system according to Claim 10, [characterised in that a] 
wherein the second device implementing [the] said decryption method precalculates the 
following quantities: 

$\alpha_{n,g} = \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$, and
$\gamma_n = 1/n \bmod \lambda(n)$,

and stores them secretly in [the] a protected area of [the] a program memory. 

12. (Amended) A system according to Claim 10, [characterised in that, in one 
instance of the said decryption method, a] wherein said second device performs the 
following calculation steps during said decryption method, using the Chinese Remainder
Theorem: 

1. $m_{1,p} = \log_p(c^{p-1} \bmod p^2) \cdot \log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$

2. $w_p = c g^{-m_{1,p}} \bmod p$

3. $m_{2,p} = w_p^{1/q \bmod p-1} \bmod p$

4. $m_{1,q} = \log_q(c^{q-1} \bmod q^2) \cdot \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$

5. $w_q = c g^{-m_{1,q}} \bmod q$

6. $m_{2,q} = w_q^{1/p \bmod q-1} \bmod q$

7. $m_1 = \mathrm{CRT}(m_{1,p}, m_{2,p}, p, q)$

8. $m_2 = \mathrm{CRT}(m_{1,q}, m_{2,q}, p, q)$, and

9. $m = m_1 + pq m_2$ where $\log_p$ and $\log_q$ are such that

$\log_i(x) = \frac{x-1}{i}$,

and x is any integer.

13. (Amended) A system according to Claim 12, [characterised in that, in one 
instance of the said decryption method, a] wherein said second device precalculates the 
following quantities: 

$\alpha_{p,g} = \log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$

$\alpha_{q,g} = \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$

$\gamma_p = 1/q \bmod p-1$

$\gamma_q = 1/p \bmod q-1$

and stores them secretly in [the] a protected memory area of [the] a program 
memory. 

14. (Amended) A system according to [any one of Claims 10 to 13, in which] 
claim 10, wherein the decryption method is used for calculating the signature s of a 
message m and the encryption method is used for verifying [the] said signature. 

15. (Amended) A cryptographic communication system with public and private 
keys generated according to Claim 1, comprising a communication channel [(20)] and first 
and second communicating devices [(A, B)], each device comprising a communication 
interface [(H)], data processing means [(10)] and storage means [(12, 13), characterised in 
that], wherein an encryption method is implemented in [a] said first device [(A) in order] to 
send a number m representing a message, 0<m<n, to [a] said second device [(B), the], said
encryption method comprising the following steps:

- using the parameters of the public key [(n,g)u] of the second device [(B) in order]
to assign the values of the public key [$(n_B, g_B)$] to the parameters n and g,

- calculating the cryptogram $c = g^m \bmod n^2$, and

[the] transmitting said cryptogram c [then being transmitted] over the 
communication channel to the second device. 




16. (Amended) A system according to Claim 15, [characterised in that the] 
wherein said first device that implements the encryption method also [comprising] 
comprises a generator [(15)] for a random integer number r, and [in that the] wherein said 
device: 

- performs the drawing of a random integer number r, and [then] 

- calculates the cryptogram c, performing the [following] encryption calculation: 
$c = g^{m+nr} \bmod (n^2)$.

17. (Amended) A system according to Claim 15 [or 16, characterised in that] 
wherein the second device implements a method of decryption of the received cryptogram 
c, comprising the performance of the following calculation: 

$m = \log_n(c^u \bmod n^2) \cdot \log_n(g^u \bmod n^2)^{-1} \bmod n$,
where u is an integer that divides (p-1) and (q-1).

18. (Amended) A method according to Claim 17, [characterised in that a] 
wherein said second device implementing [the] said decryption method precalculates the 
quantity: 

$\beta_{n,g} = \log_n(g^u \bmod n^2)^{-1} \bmod n$

and stores it secretly in [the] a protected area of [the] a program memory. 
19. (Amended) A system according to Claim 17, [characterised in that, in one
instance of the said decryption method, a] wherein said second device performs the
following calculation steps during said decryption method, using the Chinese Remainder
Theorem:

1. $m_p = \log_p(c^u \bmod p^2) \cdot \log_p(g^u \bmod p^2)^{-1} \bmod p$

2. $m_q = \log_q(c^u \bmod q^2) \cdot \log_q(g^u \bmod q^2)^{-1} \bmod q$

3. $m = \mathrm{CRT}(m_p, m_q, p, q)$, where $\log_p$ and $\log_q$ are such that

$\log_i(x) = \frac{x-1}{i}$,

x being any integer. 

20. (Amended) A system according to Claim 19, [characterised in that a] 
wherein said second device implementing [the] said decryption method precalculates the 
following quantities: 

$\beta_{p,g} = \log_n(g^u \bmod p^2)^{-1} \bmod p$
$\beta_{q,g} = \log_n(g^u \bmod q^2)^{-1} \bmod q$

and stores them secretly in [the] a protected area of [the] a program memory. 
PUBLIC AND PRIVATE KEY CRYPTOGRAPHIC METHOD

The present invention relates to a public and 
private key cryptographic method. It can be used in 
all applications in which it is necessary to ensure 
confidentiality of the messages transmitted over any 
channel and/or to identify with certitude a device with 
which messages have been exchanged. 

The confidentiality of messages transmitted 
between two devices A and B over any communication 
channel is obtained by encryption of the information 
transmitted in order to make it unintelligible to any 
persons for whom it is not intended. The sure 

identification of a message is for its part based on 
the calculation of the digital signature of a message. 

In practice, two types of cryptographic method can 
be used, the so-called symmetrical one, with secret 
keys, a well-known example of which is the DES... the so- 
called asymmetric one, using a pair of public and 
private keys and described in "Public-key cryptosystem" 
in "New Directions in Cryptography", IEEE Transactions 
on Information Theory, Nov. 1976, by Messrs Diffie and
Hellman. A well-known example of an asymmetric method
is the RSA, from the name of its inventors Ronald
Rivest, Adi Shamir and Leonard Adleman. A description
of this RSA method can be found in US patent 4.405.829.

In the invention, the concern is more particularly 
with an asymmetric cryptographic method. 

An encryption method according to an asymmetric 
cryptographic method consists mainly, for a transmitter 
A which wishes to confidentially send a message to a 
destination B, in taking cognisance, for example in a 
directory, of the public key $K_B$ of the destination B,
applying in the encryption method E to the message m to
be transmitted, using this public key, and sending, to
the destination B, the resulting cryptogram
c: $c = E_{K_B}(m)$.

This method consists mainly, for the destination
B, in receiving the cryptogram c, and decrypting it in
order to obtain the original message m, applying the
private key $K'_B$ which it alone knows in the decryption
method D to the cryptogram c: $m = D_{K'_B}(c)$.

According to this method anyone can send an 
encrypted message to the destination B, but only the 
latter is capable of decrypting it. 

Normally an asymmetric cryptographic method is 
used for the generation/verification of the signature. 
In this context, a user who wishes to prove his 
identity uses a private key, known to him alone, to 
produce a digital signature s of a message m, a 
signature which he transmits to the destination device. 
The latter implements the verification of the signature
using the public key of the user. Any device thus has
the capability of verifying the signature of a user,
taking cognisance of the public key of this user and
applying it in the verification algorithm. However,
only the user concerned has the ability to generate the
correct signature using his private key. This method
is for example much used in access control systems or
banking transactions. It is in general coupled with
the use of an encryption method, for encryption of the
signature before transmitting it.

For this generation/verification of digital
signatures, it is possible to use in practice
asymmetric cryptographic methods dedicated to this
application, such as the DSA (Digital Signature
Algorithm), which corresponds to an American standard
proposed by the US National Institute of Standards and
Technology. It is also possible to use the RSA, which
has the property of being able to be used both in
encryption and in signature generation.

In the invention, the concern is with a
cryptographic method which can be used for the
encryption of messages and for the generation of a
digital signature. In the current state of the art,
only the RSA, of which there exist many variant
implementations, offers this double functionality.

The RSA comprises a step of generating the public 
K and private K' keys for a given device in which the 
procedure is as follows: 
- two distinct large prime numbers p and q are
chosen,

- their product n=p.q is calculated,

- a number e is chosen which is prime with the lowest common
multiple of (p-1) (q-1). In practice, e is often taken
to be equal to 3.

The public key K is then formed by the pair of
parameters (n,e) and the secret key K' is formed by the
pair of parameters (p,q).

By choosing p and q of large size, their product n
is also of large size. n is therefore very difficult
to factorise: it is ensured that it will not be
possible to find the secret key K'=(p,q) from a
knowledge of n.

The method of encryption of a number m
representing a message M, 0<m<n then consists in
performing the following calculation:
$c = E_B(m) = m^e \bmod n$

by means of the public key K=(n,e).

The decryption method then for its part consists
of the following reverse calculation:
$m = c^d \bmod (n)$

by means of the private key K' = (p,q), kept secret,
where

$d = \frac{1}{e} \bmod (p-1)(q-1)$.

It has been seen that the RSA has the 
particularity of being able to be used for signature 
verification. The corresponding method of signature 
generation by a user A consists in using the decryption 
method with the secret key in order to produce the
signature s of a number m representing a message.
Thus: $s = m^d \bmod n$.

This signature s is transmitted to a destination
B. The latter, who knows m (for example, A transmits s
and m), verifies the signature by performing the
reverse operation, that is to say using the encryption
method with the public key of the transmitter A. That
is to say he calculates $v = s^e \bmod n$, and verifies v=m.

In general, to improve the security of such a
signature verification method, a hash function is first
applied to the number m before calculating the
signature, which can consist of permutations of bits
and/or a compression.

When a message M to be encrypted or signed is
spoken of, it is a case of course of digital messages,
which can result from prior digital coding. These are
in practice strings of bits, whose binary size (the
number of bits) can be variable.

However, a cryptography method such as the RSA is
such that it makes it possible to encrypt, with the
public key (n,e), any number between 0 and n-1. In
order to apply it to a message M of any size, it is
therefore necessary in practice to divide this message
into a series of numbers m which will each satisfy the
condition 0<m<n. Then the encryption method is applied
to each of these numbers. Hereinafter, the concern is
therefore with the application of the cryptographic
method to a number m representing the message M. m can
be equal to M, or be only a part thereof. Hereinafter
m is used indifferently to designate the message or a
number representing the message.

One object of the invention is an asymmetric 
cryptography method different from those based on the 
RSA. 

One object of the invention is a method based on 
other properties, which can be applied either to the 
encryption of messages or to the generation of 
signatures.

One object of the invention is a cryptography 
method which affords, in certain configurations, a more 
rapid processing time. 

As characterised, the invention relates to a 
cryptography method according to Claim 1. 

The invention will be better understood from a 
reading of the following description, given as an 
indication and in no way limitative of the invention, 
and with reference to the accompanying drawings, in 
which:

Figure 1 is a functional diagram of a 
cryptographic communication system of the asymmetric 
type; 

Figure 2 is a functional diagram of a 
communicating device used in a cryptographic 
communication system according to the invention; 

Figure 3 is a flow diagram of a message 
encryption/decryption session using the cryptographic 
method according to the invention; and 
Figure 4 is a flow diagram of a signature
generation/verification session using the cryptographic
method according to the invention.

In order to clearly understand the invention, it
is necessary to carry out a few mathematical
preliminaries.

In the description, the following mathematical 
notations are used: 

(1) If a is a relative integer and b a strictly
positive integer, a mod b (a modulo b) is the modular
residue of a relatively to b and designates the unique
integer strictly less than b such that b divides
(a - a mod b).

(2) (Z/bZ) designates the set of residues modulo
b and forms a group for the modular addition.

(3) (Z/bZ)* designates the set of integers 
invertible modulo b and forms a group for the modular 
multiplication. 

(4) The order of an element a of (Z/bZ)* is the
smallest natural integer ord(a,b) such that
$a^{\mathrm{ord}(a,b)} = 1 \bmod b$.

(5) LCM(a,b) designates the lowest common 
multiple of a and b. 

(6) HCF(a,b) designates the highest common factor
of a and b.

(7) $\lambda(a)$ designates the Euler indicator of a. If
a=p.q, $\lambda(a)$ = LCM(p-1, q-1).

(8) The unique solution, obtained by using the
well-known Chinese Remainder Theorem, of the following
system of modular equations:

$x = a_1 \bmod b_1$
$x = a_2 \bmod b_2$
$\vdots$
$x = a_k \bmod b_k$

where the integers $a_i$ and $b_i$ are given and where
$\forall i,j$ with $i \neq j$, $\mathrm{HCF}(b_i, b_j) = 1$, is denoted
$x = \mathrm{CRT}(a_1, \ldots, a_k, b_1, \ldots, b_k)$.

(9) The binary size of a number a is the number
of bits in which a is written.

Now let n be an integer number of arbitrary size.
The set $U_n = \{x < n^2 \mid x = 1 \bmod n\}$ is a multiplicative
subgroup of $(Z/n^2Z)^*$.

Then let $\log_n$ be the function defined on the set
$U_n$ by:

$$\log_n(x) = \frac{x-1}{n}$$

This function has the following property:
$\forall x \in U_n, \forall y \in U_n$,
$\log_n(xy \bmod n^2) = \log_n(x) + \log_n(y) \bmod n$.

Consequently, if g is an arbitrary integer number
belonging to $U_n$, this gives, for any number m, 0<m<n:
$\log_n(g^m \bmod n^2) = m \cdot \log_n(g) \bmod n$.

This mathematical property is at the basis of the 
cryptography method used in the invention, which will 
now be described. 
Figure 1 shows a cryptographic communication
system, using an asymmetric cryptographic method. It
comprises devices communicating, in examples A and B,
on a communication channel 1. The example shows a
bidirectional channel. Each device contains a pair of
public K and private K' keys.

The public keys are for example published in a
public file 2 such as a directory, which each device
can consult. In this public file, there will thus be
found the public key $K_A$ of the device A and the public
key $K_B$ of the device B.

The private key K' of each device is stored by it
secretly, typically in a protected non-volatile memory
area. The device A thus contains in secret memory its
private key $K'_A$ and the device B thus contains in secret
memory its private key $K'_B$. They also store their
public key, but in a memory area without any particular
access protection.

In such a system, the device A can encrypt a
message m in a cryptogram $c_A$ using the public key $K_B$ of
the device B; the latter can decrypt $c_A$ using its
private key $K'_B$, which it stores secretly. Conversely,
the device B can encrypt a message m in a cryptogram $c_B$
using the public key $K_A$ of the device A. The latter can
decrypt $c_B$ using its private key $K'_A$, which it stores
secretly.

Typically, each device comprises at least, as
shown in Figure 2, processing means 10, that is to say
a central processing unit (CPU), comprising notably
different registers R for the calculation, an interface
11 for communication with the communication channel,
and storage means. These storage means generally
comprise a program memory 12 (ROM, EPROM, EEPROM) and a
working memory (RAM) 13. In practice, each device
stores its secret data in a protected access area 120
provided in the program memory and its public data in a
normal access area of this memory. The working memory
makes it possible to store temporarily, for the time
required for the calculations, messages to be
encrypted, cryptograms to be decrypted, or intermediate
calculation results.

The processing and storage means thus make it
possible to execute programs related to the
application, and notably to make the calculations
corresponding to the implementation of the cryptography
method for the encrypting/decrypting of messages and/or
the generation/verification of signatures according to
the invention. These calculations comprise notably, as
will be seen in detail hereinafter, raisings to the
power, residues, and modular inversions.

The devices can also comprise a generator 14 for a
random or pseudo-random number r, which can participate
in the aforementioned calculations, in certain variant
embodiments. This generator is framed in dotted lines
in Figure 2, in order to indicate that it is not
necessary for the implementation of all the variant
embodiments according to the invention.

All these means of the device are connected to an
address and data bus 15.

Such devices used in the invention are well known,
and correspond for example to those which are used in
the cryptographic communication systems of the state of
the art, using the RSA. They will therefore not be
detailed any further. One practical example of a
cryptographic communication system is the system formed
by banking servers and smart cards, for managing
financial transactions. However, there are many other
applications, such as the applications related to
electronic commerce.

A first embodiment of the invention will now be 
detailed, with regard to the flow diagram shown in 
Figure 3. 

This flow diagram shows a communication sequence
between a device A and a device B on a communication
channel 20. These devices comprise at least the
processing, storage and communication means described
in relation to Figure 2.

The cryptography method according to the invention
comprises a method of generating public K and private
K' keys.

According to the invention, this method of
generating public and private keys of a device
comprises the following steps, which are already known
in the document of Yasuko Gotoh et al, published in
January 1990 in Japan, under the references
XP000177817, ISSN: 0882-1666, Vol 21, N° 8, pages 11-20,
of "a method for rapid RSA key generation" from the
work "Systems and Computers":

- selection of two large prime numbers p and q
which are distinct and of adjacent sizes;

- calculation of the number n equal to the product
p.q;

- calculation of the number $\lambda(n)$ = LCM(p-1, q-1),
that is to say of the Carmichael function of the number
n;

- determination of a number g, $0 < g < n^2$, which
fulfils the following two conditions:

a) g is invertible modulo $n^2$, and

b) $\mathrm{ord}(g, n^2) = 0 \bmod n$.

This condition b) indicates that the order of the
number g in the set $(Z/n^2Z)^*$ of the integer numbers from
0 to $n^2$ is a non-zero multiple of the number n,
according to the notations defined above.

The public key K is then formed by the number n
and the number g. The private key is formed by the
numbers p, q and $\lambda(n)$ or only by the numbers p and q,
$\lambda(n)$ being able to be recalculated at each use of the
secret key.

The public and private keys of each device are
generated according to this method. This generation
can be effected, according to the devices considered
and the applications, by the devices themselves or by
an external component.

Each device, for example the device A, therefore
contains in memory its public key $K_A = (n_A, g_A)$ and,
secretly, its private key $K'_A = (p_A, q_A)$.

In addition, the public keys are put in a file
accessible to the public.

According to the invention, it will be seen below
that it consists in giving a particular value to g.
This is because it is advantageous to choose g=2, when
possible, that is to say when g=2 fulfils conditions a)
and b) of the signature generation method according to
the invention.

An encryption method according to a first
embodiment of the cryptographic method of the invention
implemented in the device A then consists, for sending
a message to the device B, of the performance of the
following steps, with 0<m<n:

- giving information on the parameters n and g of
the encryption method implemented by the device A by
means of the public key $K_B$ of the second device B:
$n = n_B$, $g = g_B$,

- calculating the cryptogram $c = g^m \bmod n^2$, and

- transmitting the cryptogram c over the
communication channel.

The encryption method according to a first
embodiment of the invention therefore consists in
taking the parameter g of the public key, raising it to
the power m, and calculating the modular residue
relatively to $n^2$. It should be noted that, in the RSA,
it is the message m which is raised to the power whilst
in the invention the message m is used as an exponent.

The device B which receives the encrypted message,
that is to say the cryptogram c, then implements a
decryption method according to the invention with the
parameters of its private key. This decryption method
comprises the following calculation:

- calculation of the number m such that

$$m = \frac{\log_n(c^{\lambda(n)} \bmod n^2)}{\log_n(g^{\lambda(n)} \bmod n^2)} \bmod n$$

where

$$\log_n(x) = \frac{x-1}{n}.$$

If g=2, it can be seen that the calculation of
raising g to the power is facilitated. Therefore
preferably g=2 will be taken, whenever possible. In
other words, the method of generating the keys will
commence by seeing whether g=2 fulfils conditions a)
and b).

Different variants of the calculation of the
decryption method can be implemented, which make it
possible, when the device must decrypt a large number
of cryptograms, to precalculate certain quantities and
to store them secretly in the device. One corollary is
that the secret memory area (area 120 in Figure 2) of
the device must be more extensive, since it must then
contain additional parameters in addition to the
parameters p and q. This is not without influence on
the choice of implementing one variant or another.
This is because the implementation of a protected
memory area is expensive, and therefore with a
generally limited (memory) capacity, notably in the
so-called low-cost devices (for example certain types of
smart card).

In a first variant embodiment of the decryption
device, provision is made for the device, B in this
case, to precalculate once and for all the quantity:

$\alpha_{n,g} = \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$

and to keep it secret in memory.

Thus the time necessary for the decryption of each
of the messages received by the device is reduced
accordingly. This is because, when the device B
executes an instance of this variant of the decryption
method, all that is left for it to do is to calculate:

$m = \log_n(c^{\lambda(n)} \bmod n^2)\,\alpha_{n,g} \bmod n$.

In a second variant embodiment of the decryption
method according to the invention, provision is made
for using the Chinese Remainder Theorem, for better
efficiency (speed of calculation).

In one instance of this second variant of the
decryption method, the device performs the following
(decryption) calculations:

1. $m_p = \log_p(c^{p-1} \bmod p^2)\,\log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$
2. $m_q = \log_q(c^{q-1} \bmod q^2)\,\log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$
3. $m = \mathrm{CRT}(m_p, m_q, p, q)$,

where

$$\log_p(x) = \frac{x-1}{p} \quad\text{and}\quad \log_q(x) = \frac{x-1}{q}$$

In this case, provision can also be made, in the
cases where the device has to decrypt a very large
number of messages, for the device to precalculate once
and for all the following quantities:

$\alpha_{p,g} = \log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$ and
$\alpha_{q,g} = \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$.

The device must then store these quantities as
secret data.

The calculation made during one instance of the
decryption method becomes:

1. $m_p = \log_p(c^{p-1} \bmod p^2)\,\alpha_{p,g} \bmod p$
2. $m_q = \log_q(c^{q-1} \bmod q^2)\,\alpha_{q,g} \bmod q$
3. $m = \mathrm{CRT}(m_p, m_q, p, q)$.

As already stated, all these variant decryption
calculations are advantageous when the device has to
decrypt a very large number of messages, and when the
saving in processing time compensates for the larger
memory capacity of the protected area for storing all
the secret data. The choice of one or other variant
depends in practice on the application in question and
the constraints of cost and processing time to be
reconciled.

A second embodiment of the invention comprises the
use of a random number, supplied by a random (or
pseudo-random) number generator, in the encryption
method, so that, for the same message m to be
transmitted, the calculated cryptogram c will be
different on each occasion. The security of the
communication system is therefore greater. The
decryption method is unchanged.

This second embodiment of the invention comprises 
two variants. 

In a first variant, the cryptogram c is obtained
by the following calculation: $c = g^{m+nr} \bmod n^2$.

In a second variant, the cryptogram c is obtained
by the following calculation: $c = g^m r^n \bmod n^2$.

This second variant requires in practice a longer
processing time than the first, but offers greater
security.
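The key generation, encryption and decryption calculations of the first and second embodiments, written out as an added Python example that is not part of the original specification. The function names and the toy primes are constructed for illustration; condition b) is tested through gcd(log_n(g^λ(n) mod n^2), n) = 1, and the range from which r is drawn is an assumption, since the text does not fix one.

```python
import math
import secrets


def log_n(x, n):
    """log_n(x) = (x - 1) / n on U_n = {x < n^2 : x = 1 mod n}."""
    if x % n != 1:
        raise ValueError("x is not congruent to 1 modulo n")
    return (x - 1) // n


def g_is_valid(g, n, lam):
    """Condition a): g invertible modulo n^2 (same as gcd(g, n) = 1).
    Condition b) is tested via gcd(log_n(g^lam mod n^2), n) = 1,
    which implies that ord(g, n^2) is a multiple of n."""
    if not 0 < g < n * n or math.gcd(g, n) != 1:
        return False
    return math.gcd(log_n(pow(g, lam, n * n), n), n) == 1


def keygen(p, q):
    """Public key (n, g), private key (p, q, lam); g = 2 is tried first."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # LCM(p-1, q-1)
    g = 2
    while not g_is_valid(g, n, lam):
        g += 1
    return (n, g), (p, q, lam)


def encrypt(pub, m, mode="plain"):
    """mode 'plain': c = g^m; 'exp': c = g^(m+nr); 'mul': c = g^m r^n (all mod n^2)."""
    n, g = pub
    n2 = n * n
    if not 0 < m < n:
        raise ValueError("message must satisfy 0 < m < n")
    if mode == "plain":
        return pow(g, m, n2)
    r = secrets.randbelow(n - 1) + 1          # assumed range: 1 <= r < n
    while math.gcd(r, n) != 1:                # r must be invertible for 'mul'
        r = secrets.randbelow(n - 1) + 1
    if mode == "exp":
        return pow(g, m + n * r, n2)
    if mode == "mul":
        return pow(g, m, n2) * pow(r, n, n2) % n2
    raise ValueError("unknown mode")


def precompute_alpha(pub, priv):
    """alpha_{n,g} = log_n(g^lam mod n^2)^-1 mod n, kept secret by the device."""
    n, g = pub
    return pow(log_n(pow(g, priv[2], n * n), n), -1, n)


def decrypt(pub, priv, c, alpha=None):
    """m = log_n(c^lam mod n^2) * alpha_{n,g} mod n."""
    n, _ = pub
    if alpha is None:
        alpha = precompute_alpha(pub, priv)
    return log_n(pow(c, priv[2], n * n), n) * alpha % n


def decrypt_crt(pub, priv, c):
    """Second variant: work modulo p^2 and q^2, then recombine with the CRT."""
    _, g = pub
    p, q, _ = priv

    def half(s):
        alpha_s = pow(log_n(pow(g, s - 1, s * s), s), -1, s)
        return log_n(pow(c, s - 1, s * s), s) * alpha_s % s

    m_p, m_q = half(p), half(q)
    return m_p + p * ((m_q - m_p) * pow(p, -1, q) % q)   # CRT(m_p, m_q, p, q)


def demo():
    pub, priv = keygen(1009, 1013)   # constructed toy primes, far too small for real use
    m = 424242
    plain = [encrypt(pub, m) for _ in range(2)]           # identical cryptograms
    randomized = [encrypt(pub, m, "mul") for _ in range(2)]
    recovered = [decrypt_crt(pub, priv, c) for c in plain + randomized]
    return pub, plain[0] == plain[1], recovered


if __name__ == "__main__":
    print(demo())
```

Requires Python 3.8 or later for `pow(x, -1, n)`.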

In a third embodiment of the invention, the
condition is imposed that the order of g in (Z/nZ)* be
a small integer, this being obtained by the
implementation of a different key generation method.

With such a condition on the order of the
parameter g, the complexity of the calculation of the
decryption method, which in practice becomes quadratic
(a function of $n^2$) with respect to the size of the
number n, is reduced.

In this third embodiment of the invention, the
method of generating the public and private keys is
then as follows:

- selecting in secret an integer u and two large
prime numbers p and q which are distinct and of
adjacent sizes, such that u divides (p-1) and divides
(q-1);

- calculating the number n equal to the product
p.q;

- calculating the number $\lambda(n)$ = LCM(p-1, q-1), that
is to say of the Carmichael indicator of the number n;

- determining a number h, $0 < h < n^2$, which fulfils
the following two conditions:

a) h is invertible modulo $n^2$, and

b) $\mathrm{ord}(h, n^2) = 0 \bmod n$.

- calculating the number $g = h^{\lambda(n)/u} \bmod n^2$.

The public key K is then formed by the number n
and the number g. The private key consists of the
integers (p,q,u) stored secretly in the device.

Preferably h=2 is chosen, when possible (that is
to say if h=2 fulfils conditions a) and b), in order to
facilitate the calculation of g).

It should be noted that, if u = HCF(p-1, q-1), it
is not necessary to store this number, which can be
found by the device from p and q.

Preferably u will be chosen prime, in order to
improve the security of the method, and of small size,
typically 160 bits. By choosing a small size for u, it
will be seen that the decryption calculation is
facilitated.

In this third embodiment, the implementation of
the encryption method to encrypt a message m is
identical to the one previously described in the first
embodiment of the invention, the cryptogram being equal
to $c = g^m \bmod n^2$.

It is also possible to calculate the cryptogram c
by using a random variable r according to the first
variant of the second embodiment of the invention
previously described. r is then a random integer, with
the same size as u, and the cryptogram is obtained by
the following calculation: $c = g^{m+nr} \bmod n^2$.

The cryptogram c calculated according to one or
other previous implementation of the encryption method
is sent to the device B, which must decrypt it. The
implementation of the decryption method by the device B
which receives the message is a little different.

This is because the calculation made in the device
in one instance of decryption, in order to find the
number m from the cryptogram c, becomes the following:

$$m = \frac{\log_n(c^u \bmod n^2)}{\log_n(g^u \bmod n^2)} \bmod n.$$

As before, it is possible to apply variant
calculations, which make it possible to accelerate the
processing time needed.

In a first variant, the quantity:

$\beta_{n,g} = \log_n(g^u \bmod n^2)^{-1} \bmod n$

will thus be precalculated once and for all and
will be stored secretly in memory.

During one instance of decryption of a cryptogram
c received, the device then merely has to make the
following calculation:

$m = \log_n(c^u \bmod n^2)\,\beta_{n,g} \bmod n$.

In a second variant, the Chinese Remainder Theorem
is implemented, using the functions $\log_p$ and $\log_q$,
already seen for performing the decryption calculation.

During one instance of this variant of the method
of decrypting the cryptogram c received, the device
then performs the following calculations:

1. $m_p = \log_p(c^u \bmod p^2)\,\log_p(g^u \bmod p^2)^{-1} \bmod p$

2. $m_q = \log_q(c^u \bmod q^2)\,\log_q(g^u \bmod q^2)^{-1} \bmod q$

3. $m = \mathrm{CRT}(m_p, m_q, p, q)$.

In a third variant, the processing time needed for
the decryption of the cryptogram c according to the
second variant is accelerated still further,
precalculating the following quantities:

$\beta_{p,g} = \log_p(g^u \bmod p^2)^{-1} \bmod p$
$\beta_{q,g} = \log_q(g^u \bmod q^2)^{-1} \bmod q$

and storing them secretly in the device.

During an instance of calculation of this third
variant of the method of decrypting the cryptogram c
received, the device then merely has to perform the
following calculations:

1. $m_p = \log_p(c^u \bmod p^2)\,\beta_{p,g} \bmod p$

2. $m_q = \log_q(c^u \bmod q^2)\,\beta_{q,g} \bmod q$

3. $m = \mathrm{CRT}(m_p, m_q, p, q)$.
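The third embodiment's key generation and short-exponent decryption, as an added Python example that is not part of the original specification. The values u = 11, p = 67, q = 89 are constructed toy parameters (the text recommends u of about 160 bits), the function names are hypothetical, and passing the bit size of u to the sender is an assumption about how "the same size as u" is made known.

```python
import math
import secrets


def log_n(x, n):
    """log_n(x) = (x - 1) / n for x = 1 mod n."""
    if x % n != 1:
        raise ValueError("x is not congruent to 1 modulo n")
    return (x - 1) // n


def keygen_short(u, p, q):
    """Third-embodiment keys: public (n, g), private (p, q, u)."""
    if (p - 1) % u or (q - 1) % u:
        raise ValueError("u must divide both p-1 and q-1")
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # LCM(p-1, q-1)
    h = 2                                               # h = 2 is tried first
    # condition a): gcd(h, n) = 1; condition b) via gcd(log_n(h^lam), n) = 1
    while math.gcd(h, n) != 1 or math.gcd(log_n(pow(h, lam, n2), n), n) != 1:
        h += 1
    g = pow(h, lam // u, n2)                            # g = h^(lam/u) mod n^2
    return (n, g), (p, q, u)


def encrypt(pub, m, u_bits):
    """c = g^(m + n r) mod n^2 with r a random integer of u_bits bits."""
    n, g = pub
    if not 0 < m < n:
        raise ValueError("message must satisfy 0 < m < n")
    r = secrets.randbits(u_bits)
    return pow(g, m + n * r, n * n)


def precompute_beta(pub, priv):
    """beta_{n,g} = log_n(g^u mod n^2)^-1 mod n, stored secretly."""
    n, g = pub
    return pow(log_n(pow(g, priv[2], n * n), n), -1, n)


def decrypt(pub, priv, c, beta):
    """m = log_n(c^u mod n^2) * beta_{n,g} mod n: the exponent is u, not lam."""
    n, _ = pub
    return log_n(pow(c, priv[2], n * n), n) * beta % n


def demo():
    u, p, q = 11, 67, 89            # constructed: 66 = 6*11 and 88 = 8*11
    pub, priv = keygen_short(u, p, q)
    beta = precompute_beta(pub, priv)
    m = 1234
    c = encrypt(pub, m, u.bit_length())
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    # bit lengths of the decryption exponent here versus the first embodiment
    return decrypt(pub, priv, c, beta), u.bit_length(), lam.bit_length()


if __name__ == "__main__":
    print(demo())
```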

In a fourth embodiment of the invention, the
encryption method and the decryption method are such
that they have the particularity of being permutations
on the group of integers modulo $n^2$. In other words, if
the message m is expressed in k bits, the cryptogram c
obtained by applying the encryption method to m and the
signature s obtained by applying the decryption method
to m are also in k bits.

This particularity confers on the cryptographic
method the additional property of being able to be used
both for encryption/decryption and for signature
generation/verification. In this case, the decryption
method is employed as a signature generation method and
the encryption method as a signature verification
method.

In this fourth embodiment, the method of
generating public and private keys is the same as that
of the first embodiment of the invention: K = (n,g) and
K' = (p, q, $\lambda(n)$) or K' = (p,q).

If the device A wishes to send an encrypted
message m to the device B, it obtains the public key
(n,g) from the latter, and then, in one instance of the
encryption method, then performs the following
calculations, applied to the number m, $0 < m < n^2$:

1. $m_1 = m \bmod n$

2. $m_2 = (m - m_1)/n$ (Euclidian division)

3. $c = g^{m_1} m_2^{\,n} \bmod n^2$.

It is this cryptogram c which is sent to the 
device B. 

The latter must therefore apply the corresponding
decryption method to it, in order to find $m_1$, $m_2$ and
finally m. This decryption method according to the
fourth embodiment of the invention consists in
performing the following calculations:

1. $m_1 = \log_n(c^{\lambda(n)} \bmod n^2) \cdot \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$.

2. $w = c\,g^{-m_1} \bmod n$.

3. $m_2 = w^{1/n \bmod \lambda(n)} \bmod n$.

4. $m = m_1 + n m_2$.

As before, variants of the decryption method 
according to this fourth embodiment of the invention 
are applicable, which make it possible to reduce the 
processing time necessary for decrypting a given 
message. They are advantageous when the device has a 
large number of cryptograms to decrypt. 

A first variant consists in precalculating the
following quantities:

$\alpha_{n,g} = \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$ and

$\gamma_n = 1/n \bmod \lambda(n)$

which the device B calculates once and for all and
keeps secret in memory.

At each new instance of decryption of a cryptogram
c received according to this first variant, the device
B merely has to perform the following calculations:

1. $m_1 = \log_n(c^{\lambda(n)} \bmod n^2)\,\alpha_{n,g} \bmod n$.

2. $w = c\,g^{-m_1} \bmod n$.

3. $m_2 = w^{\gamma_n} \bmod n$.

4. $m = m_1 + n m_2$.

In a second variant of the implementation of the 
decryption method according to the fourth embodiment, 
the Chinese Remainder Theorem is used. 

The device which wishes to decrypt a cryptogram c
according to this second variant then performs the
following successive calculations:

$m_{1,p} = \log_p(c^{p-1} \bmod p^2)\,\log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$
$w_p = c\,g^{-m_{1,p}} \bmod p$
$m_{2,p} = w_p^{1/q \bmod p-1} \bmod p$
$m_{1,q} = \log_q(c^{q-1} \bmod q^2)\,\log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$
$w_q = c\,g^{-m_{1,q}} \bmod q$
$m_{2,q} = w_q^{1/p \bmod q-1} \bmod q$
$m_1 = \mathrm{CRT}(m_{1,p}, m_{2,p}, p, q)$.
$m_2 = \mathrm{CRT}(m_{1,q}, m_{2,q}, p, q)$.
$m = m_1 + pq\,m_2$.

In a third variant, in order to further improve
the time for processing the decryption of this second
variant, the device B can precalculate once and for all
the following quantities:

$\alpha_{p,g} = \log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$
$\alpha_{q,g} = \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$
$\gamma_p = 1/q \bmod p-1$
$\gamma_q = 1/p \bmod q-1$

and keep them secret in memory.

The device which wishes to decrypt a cryptogram c
according to this third variant merely has to perform
the following calculations:

1. $m_{1,p} = \log_p(c^{p-1} \bmod p^2)\,\alpha_{p,g} \bmod p$

2. $w_p = c\,g^{-m_{1,p}} \bmod p$

3. $m_{2,p} = w_p^{\gamma_p} \bmod p$

4. $m_{1,q} = \log_q(c^{q-1} \bmod q^2)\,\alpha_{q,g} \bmod q$

5. $w_q = c\,g^{-m_{1,q}} \bmod q$

6. $m_{2,q} = w_q^{\gamma_q} \bmod q$

7. $m_1 = \mathrm{CRT}(m_{1,p}, m_{2,p}, p, q)$.

8. $m_2 = \mathrm{CRT}(m_{1,q}, m_{2,q}, p, q)$.

9. $m = m_1 + pq\,m_2$.

The fourth embodiment of the invention which has
just been described makes it possible to carry out the
signature generation/verification. As shown in the
flow diagram in Figure 4, if the device B has to
generate a signature s of a number m representing a
message to the device A, it applies, as a signature
generation method, the decryption method with its
private key: $s = D_{K'_B}(m)$.

The device A, which receives the signature s and
which knows the message m, checks that the signature is
correct by calculating the quantity v obtained by
applying the encryption method to the signature s with
the public key: $v = E_{K_B}(s)$. If the signature is correct,
v=m.

All the variant embodiments of the decryption
method of this fourth embodiment which make it possible
to accelerate the processing time are also clearly
applicable in signature generation/verification.
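The fourth embodiment's encryption and decryption calculations, and their use as signature verification and generation, as an added Python example that is not part of the original specification. The function names and toy primes are constructed; the checks that m_2 and c are invertible modulo n, and the requirement that n be coprime to λ(n) so that 1/n mod λ(n) exists, are assumptions stated here because the text leaves them implicit.

```python
import math


def log_n(x, n):
    """log_n(x) = (x - 1) / n for x = 1 mod n."""
    if x % n != 1:
        raise ValueError("x is not congruent to 1 modulo n")
    return (x - 1) // n


def make_key(p, q, g=2):
    """Public (n, g); private (lam, alpha_{n,g}, gamma_n), precomputed once."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if math.gcd(g, n) != 1 or math.gcd(log_n(pow(g, lam, n * n), n), n) != 1:
        raise ValueError("g does not fulfil conditions a) and b)")
    alpha = pow(log_n(pow(g, lam, n * n), n), -1, n)
    gamma = pow(n, -1, lam)              # gamma_n = 1/n mod lam(n)
    return (n, g), (lam, alpha, gamma)


def E(pub, m):
    """Encryption: m = m1 + n*m2, c = g^m1 * m2^n mod n^2."""
    n, g = pub
    m1, m2 = m % n, m // n               # Euclidean division by n
    if not 0 < m < n * n or math.gcd(m2, n) != 1:
        raise ValueError("m2 must be invertible modulo n")
    return pow(g, m1, n * n) * pow(m2, n, n * n) % (n * n)


def D(pub, priv, c):
    """Decryption, first variant with precomputed alpha and gamma."""
    n, g = pub
    lam, alpha, gamma = priv
    if math.gcd(c, n) != 1:
        raise ValueError("c must be invertible modulo n^2")
    m1 = log_n(pow(c, lam, n * n), n) * alpha % n
    w = c * pow(g, -m1, n) % n           # w = c * g^(-m1) mod n
    m2 = pow(w, gamma, n)                # m2 = w^gamma_n mod n
    return m1 + n * m2


def sign(pub, priv, m):
    """Signature generation: the decryption method applied to m."""
    return D(pub, priv, m)


def verify(pub, m, s):
    """Signature verification: the encryption method applied to s must give m."""
    try:
        return E(pub, s) == m
    except ValueError:
        return False


def demo():
    pub, priv = make_key(1009, 1013)     # constructed toy primes
    m = 123456789012 % (pub[0] ** 2)
    round_trip = D(pub, priv, E(pub, m)) == m
    s = sign(pub, priv, 987654321)
    return round_trip, verify(pub, 987654321, s), verify(pub, 987654322, s)


if __name__ == "__main__":
    print(demo())
```

Encryption and decryption are inverse bijections between the numbers m whose quotient m_2 is invertible modulo n and the numbers invertible modulo n^2, which is why both functions reject inputs outside those sets.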
The invention which has just been described is
applicable in all the systems in which it is wished to
be able to encrypt and/or sign messages. It broadens
the possibilities of adaptation to different
applications, depending on whether more security is
sought, or increased processing speed. In this regard,
it should be noted that the third embodiment of the
invention, whose calculation complexity is only
quadratic (function of $n^2$) offers a real advantage in
terms of speed, in so far as all the methods of the
state of the art have a higher order of complexity
(function of $n^3$). Such an advantage more particularly
relates to all the applications using portable devices,
such as smart cards and more particularly low-cost
devices.

Finally, any person experienced in the art to
which the invention relates will understand that
modifications to the form and/or details can be made.
In particular the signature can be encrypted, or a hash
function can be applied to the message m before
calculating its signature. This makes it possible to
have notably a different signature each time even if
the message m is unchanged.

CLAIMS

1. A cryptographic method comprising a method of
generating public (K) and private (K') keys in a device
able to exchange messages on at least one communication
channel, the private key having to be stored secretly
in the said device and the public key having to be
broadcast publicly, the generation method comprising
the following steps:

- selecting two prime numbers p and q which are
distinct and of adjacent sizes;

- calculating the number n equal to the product
p.q;

- calculating the lowest common multiple of the
numbers (p-1) and (q-1): $\lambda(n)$ = LCM(p-1, q-1)

- determining a number g, $0 < g < n^2$, which satisfies
the following two conditions during the calculation of
a cryptogram c: $c = g^m \bmod n^2$:

a) g is invertible modulo $n^2$, and
b) $\mathrm{ord}(g, n^2) = 0 \bmod n$,

the public key of the said device being formed by
the parameters n and g and its private key being formed
by the parameters p, q and $\lambda(n)$ or by the parameters p
and q, a generation method characterised in that it
consists in taking g=2, if g satisfies the said
conditions a) and b).

2. A cryptographic communication system with
public and private keys generated according to Claim 1,
comprising a communication channel (20) and
communicating devices (A, B), each device comprising at
least one communication interface (11), data processing
means (10) and storage means (12, 13), characterised in
that an encryption method is implemented in a first
device (A) in order to send a number m representing a
message, 0<m<n, to a second device (B), the said
encryption method comprising the following steps:

- using the parameters of the public key $(n_B, g_B)$
of the second device (B) in order to assign the values
of the public key $(n_B, g_B)$ to the parameters n and g,

- calculating the cryptogram $c = g^m \bmod n^2$,

the said cryptogram c then being transmitted over
the communication channel to the second device.

3. A system according to Claim 2, characterised
in that the device implementing the encryption method
also comprises a generator (15) for a random integer
number r, and in that the said device:

- performs the drawing of a random integer number
r, and then

- calculates the cryptogram c by performing the
following encryption calculation: $c = g^{m+nr} \bmod (n^2)$.

4. A system according to Claim 2, characterised
in that the device implementing the encryption method
also comprises a generator (15) for a random integer
number r, and in that the said device:

- performs the drawing of a random integer number
r, and then

- calculates the cryptogram c by performing the
following encryption calculation: $c = g^m r^n \bmod (n^2)$.

5. A system according to Claim 4, characterised
in that the second device (B) implements a decryption
method, in order to decrypt the said cryptogram c, and
which comprises the performing of the calculation

$m = \log_n(c^{\lambda(n)} \bmod n^2) \cdot \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$

where $\log_n(x) = \frac{x-1}{n}$,

x being any integer.

6. A system according to Claim 5, characterised
in that a device (B) implementing the said decryption
method precalculates the quantity:

$\alpha_{n,g} = \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$

and stores it secretly in the protected area of
the program memory, x being any integer.

7. A system according to Claim 5, characterised
in that, in one instance of the said decryption method,
a device performs the following calculation steps,
using the Chinese Remainder Theorem CRT:

$m_p = \log_p(c^{p-1} \bmod p^2) \cdot \log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$.
$m_q = \log_q(c^{q-1} \bmod q^2) \cdot \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$.
$m = \mathrm{CRT}(m_p, m_q, p, q)$, where $\log_p$ and $\log_q$ are such that

$$\log_i(x) = \frac{x-1}{i}$$

x being any integer.

8. A system according to Claim 7, characterised
in that a device implementing the said decryption
method precalculates the following quantities

$\alpha_{p,g} = \log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$ and
$\alpha_{q,g} = \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$

and stores them secretly in the protected area of
the program memory.

9. A cryptographic communication system with
public and private keys generated according to Claim 1,
comprising a communication channel (20) and
communicating devices (A, B), each device comprising a
communication interface (11), data processing means
(10) and storage means (12, 13), characterised in that
an encryption method is implemented in a first device
(A) for sending a number m representing a message,
$0 < m < n^2$, to a second device (B), the said encryption
method comprising the following steps:

- using the parameters of the public key $K_B = (n_B, g_B)$
of the second device (B) in order to assign the values
of the public key $(n_B, g_B)$ to the parameters n and g,

- and performing the following calculations:

1. $m_1 = m \bmod n$

2. $m_2 = (m - m_1)/n$

3. $c = g^{m_1} m_2^{\,n} \bmod n^2$

the said cryptogram c being transmitted over the
communication channel to the second device.

10. A system according to Claim 9, characterised
in that the second device (B) receives the cryptogram c
and implements a decryption method, in order to decrypt
the said cryptogram which comprises the performance of
the following calculation steps:

1. $m_1 = \log_n(c^{\lambda(n)} \bmod n^2) \cdot \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$

2. $w = c\,g^{-m_1} \bmod n$

3. $m_2 = w^{1/n \bmod \lambda(n)} \bmod n$

11. A system according to Claim 10, characterised
in that a device implementing the said decryption
method precalculates the following quantities:

$\alpha_{n,g} = \log_n(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$ and
$\gamma_n = 1/n \bmod \lambda(n)$

and stores them secretly in the protected area of
the program memory.

12. A system according to Claim 10, characterised
in that, in one instance of the said decryption method,
a device performs the following calculation steps,
using the Chinese Remainder Theorem:

1. $m_{1,p} = \log_p(c^{p-1} \bmod p^2)\,\log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$

2. $w_p = c\,g^{-m_{1,p}} \bmod p$

3. $m_{2,p} = w_p^{1/q \bmod p-1} \bmod p$

4. $m_{1,q} = \log_q(c^{q-1} \bmod q^2) \cdot \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$

5. $w_q = c\,g^{-m_{1,q}} \bmod q$

6. $m_{2,q} = w_q^{1/p \bmod q-1} \bmod q$

7. $m_1 = \mathrm{CRT}(m_{1,p}, m_{2,p}, p, q)$.

8. $m_2 = \mathrm{CRT}(m_{1,q}, m_{2,q}, p, q)$.

9. $m = m_1 + pq\,m_2$ where $\log_p$ and $\log_q$ are such that

$$\log_i(x) = \frac{x-1}{i}.$$



13. A system according to Claim 12, characterised
in that, in one instance of the said decryption method,
a device precalculates the following quantities:

$\alpha_{p,g} = \log_p(g^{p-1} \bmod p^2)^{-1} \bmod p$

$\alpha_{q,g} = \log_q(g^{q-1} \bmod q^2)^{-1} \bmod q$

$\gamma_p = 1/q \bmod p-1$

$\gamma_q = 1/p \bmod q-1$

and stores them secretly in the protected memory
area of the program memory.

14. A system according to any one of Claims 10 to
13, in which the decryption method is used for
calculating the signature s of a message m and the
encryption method is used for verifying the said
signature.

15. A cryptographic communication system with
public and private keys generated according to Claim 1,
comprising a communication channel (20) and
communicating devices (A, B), each device comprising a
communication interface (11), data processing means
(10) and storage means (12, 13), characterised in that
an encryption method is implemented in a first device
(A) in order to send a number m representing a message,
0<m<n, to a second device (B), the said encryption
method comprising the following steps:

- using the parameters of the public key $(n_B, g_B)$ of
the second device (B) in order to assign the values of
the public key $(n_B, g_B)$ to the parameters n and g,

- calculating the cryptogram $c = g^m \bmod n^2$,

the said cryptogram c then being transmitted over
the communication channel to the second device.

16. A system according to Claim 15, characterised
in that the device implements the encryption method
also comprising a generator (15) for a random integer
number r, and in that the said device:

- performs the drawing of a random integer number
r, and then

- calculates the cryptogram c, performing the
following encryption calculation: $c = g^{m+nr} \bmod (n^2)$.

17. A system according to Claim 15 or 16,
characterised in that the second device implements a
method of decryption of the received cryptogram c,
comprising the performance of the following
calculation:

$m = \log_n(c^u \bmod n^2) \cdot \log_n(g^u \bmod n^2)^{-1} \bmod n$.

18. A method according to Claim 17, characterised
in that a device implementing the said decryption
method precalculates the quantity:

$\beta_{n,g} = \log_n(g^u \bmod n^2)^{-1} \bmod n$

and stores it secretly in the protected area of
the program memory.

19. A system according to Claim 17, characterised
in that, in one instance of the said decryption method,
a device performs the following calculation steps,
using the Chinese Remainder Theorem:

1. $m_p = \log_p(c^u \bmod p^2) \cdot \log_p(g^u \bmod p^2)^{-1} \bmod p$
2. $m_q = \log_q(c^u \bmod q^2) \cdot \log_q(g^u \bmod q^2)^{-1} \bmod q$
3. $m = \mathrm{CRT}(m_p, m_q, p, q)$, where $\log_p$ and $\log_q$ are such
that

$$\log_i(x) = \frac{x-1}{i}$$

x being any integer.
20. A system according to Claim 19, characterised
in that a device implementing the said decryption
method precalculates the following quantities:

$\beta_{p,g} = \log_p(g^u \bmod p^2)^{-1} \bmod p$

$\beta_{q,g} = \log_q(g^u \bmod q^2)^{-1} \bmod q$

and stores them secretly in the protected area of
the program memory.